Thursday, March 31, 2011

We did not really make a breakthrough in the last years on the questions of - Identity Provider Discovery- security and privacy UI- Identity in the Browser- intelligent agents or what ever you call them- openid UI- add your favorite here...

Although we did not have a lack of efforts to solve some of these issues- cardspace- openinfocard- azigo's selector- Kantara login ULX- openidsamplestore.com- Janrain's Engage- ...

We really need browser support. So lets start - again - with: Identity in the Browser.

Requirements: - user centric- ask for user consent before leaking information.- help the users discover the reusable identities they already have.- don't favor any identity provider.- not to many user choices. Keep it simple.- allow the site to detect whether or not identity in the browser is supported or not.

I created a Firefox addon that tries to achieve just that.http://ignisvulpis.blogspot.com/2011/03/openid-for-firefox4.htmlOr at least go in that direction. I concentrated on openid support but I think it is easy to generalize from there.

The DOM level API that allows the site to query the preferred identity provider looks like this:

window.openid.getPreferredOpenidProvider(callback);

The site can detect support by testing for the new child of the window object to be present:

if (window.openid) { don't show the nascar }

Maybe I should not have named this "window.openid" but "window.identity"?!I guess that is for the W3C to decide. They just added another event to Identity-May:"W3C Workshop on Identity in the Browser"

I really hope that we get W3C support for Identity. It is not important whether this is called window.openid or navigator.openid or whatever. We have a nice example for another W3C API: Geolocation and I modelled my Identity API suggestion along those lines.

What next?I) The UI of my addon is not that polished.

a) In this case the file-url is especially ugly and in this case there are not that many alternatives.In the website case the addon could- show the site's URL - show the site's favicon instead of URL- show the site's icon from the extended validation certificate- show the site's "other icon" which I don't know how to get in a standardized way- show the site's name / title from the webpage- show the site's name from the certificate

b) Should I show which openid the addon is going to provide to the site?Actually the user does not really care whether this is an openid or whatever. Here the addon could- show the user's openid.claimed_id- show the user's openid.identity- show the OpenID Provider's (OP) favicon from the openid.op_endpoint- show the user's icon/image provided by the OP- let the user add an icon to that openid

II) Should the addon use the Firefox notification-box or the newer notification popups?The notification box might be to easy to fake by a website but then there is no real point in faking it. Or is it?

III) Learning new OpenIDs notification popupHere the addon could- show the user's openid.claimed_id (as seen in the picture above)- show the user's openid.identity- show the OpenID Provider's (OP) favicon from the openid.op_endpoint- show the user's icon/image provided by the OP- let the user add an icon to that openid

IV) Does the user already have reusable Identities?- The addon could just open a tab that shows the OpenID Foundation's "get an openid" page.- I implemented a feature where the browser helps the users find their reusable identities. The browser knows a lot about the sites the user visited and might have stored the user's credentials for some sites. My implementation iterates through all domains with stored credentials and requests the Yadis XRD. If the XRD contains openid information then the domain is shown as an potential "openid you might already have".This feature is not in the version I have uploaded to Mozilla.- The addon could use Mozilla's Firefox Sync openid provider. Which would violate the rule not to prefer some identity providers...

V) Mobile supportFirefox mobile is out. The addon currently does not support Firefox mobile. Which brings me to the next point.

VI) The addon could add identities (openids) to form input fields from a context menu. Right click the page or input element and a choice is presented to the user to input the openid into that input field. But on the other hand this should be done better by the site's javascript code after it has detected support through the DOM API.

VII) Support identities issued by mobile operators. Should be easy... Support mobile wallets.

VII) The openid icon in the url-bar might be too much for other providers. I don't care for now.

The addon then asks the user for her consent to provide the openid to the site:

Clicking the openid urlbar icon inserts the openid to an appropriate input field on the page. If the addon did not learn an OpenID in the past it opens the OpenID Foundation's "Get An OpenID" page"

Google's openidsamplestore does NOT put an id or name on the input fields making it impossible for the addon to determine the correct input field. Shame on you Google! You can drag the OpenID urlbar icon to the correct field to insert your OpenID into the field.

Thursday, March 03, 2011

I just committed some new code to the xmldap code repository. WebToken.java signs and encrypts JSON Web Tokens and WebTokenTest.java contains the JUNIT tests. These tests also show how WebToken.java is used.

Today I added Password Based Encryption (PBE) and AES encryption.

PBE uses PBEWithMD5AndDES with DESede.AES is used in CBC mode.

PBE and RSA encryption yield in a three segment token:jwtHeaderSegment.jwtKeySegment.jwtCryptoSegmentwhere - the header segment describes the algorithm and key used,- the key segment contains the encrypted key that is actually used to encrypt the payload- the crypto segment contains the encrypted content.As always each segment is base64 url encoded.

AES encryption yields in a two segment token:jwtHeaderSegment.jwtCryptoSegmentThe jwtKeySegment is not needed because AES uses a shared secret to encrypt the payload. It makes no sense to put this secret key into the token.

PBE and RSA encryption generate the encryption key and therefore this key is encrypted and send as the jwtKeySegment. JSON WebToken encryption with RSA was explained in yesterdays blog post.

Wednesday, March 02, 2011

This works by generating a ephemeral symmetric key with a specified keylength (128, 192, 256 bits) that is encrypted using the recipient's public RSA key. The ephemeral symmetric key is used to encrypt the payload using AES in CBC-mode with PKCS7 padding.Depending on the key length the algorithms are called RE128, RE192 and RE256.

The following is an example of a JSON object that can be encoded to produce a JWT Claims Object:

{"iss":"joe", "exp":1300819380, "http://example.com/is_root":true}

The following example JSON header object declares that the encoded object is a JSON Web Token (JWT) and that the JWT Payload Segment is encrypted using the RE256 algorithm and that the RSA public key has the thumbprint of b9E8JDWjYefFiM0X9V9a098Bd6ZsFyemogCEX016uIw:

Base64url encoding this byte array produces this value for the JWT Key Segment:lnOHwoU2iUGmCEFzNRZKqBsdiLR6j0XBWurjTgFCxT7eSfGNpni01a3TzuaeZjVc_f3jEiuvJFYFanizkpyk9BGqCNs5LhX2m1h2Qc_llKt3TgGRi67e9p36vX81G8-QccnNQ321vutKYe2jlEvcg0hhWhejhbtK2XjsKkMaJDzEDuULbJmnAFgchSdbcYgz0JK6onX_1tO2FWed0r-EK0v9v7Y65pwz_nrYf2u8f5-j5aX2RUEYVx0sq2oaJZbbp26QmUGVPdnnEgOVI6vpL5-M6Gl1q9j645Ag94Sx9HpQcg8KEUVLfK3BfbLYGnIf-kFP8fROHuIHAMdiPD4ong

Using the symmetric key to AES256 encrypt the payload bytes and base64url-encoding the resulting bytes yields the JWT Crypto Segment:L2ZFNFVQcCtjdWw1QTVZSGw0bUhGRDZ6NDlkNFFtRWQ1a0VBSGUzNzN3V0txY29MZmRHWkhrRUtYMUJNRWl4dzQ0RHlZcmN6TWg4WWEvN04wdUYrc01UeWlYUXBYdmV6a2JvWWd2aFQzeS9OZkpoZ2doSTN6bmViTnVwZHNZZFI

Combining these segments in the order Header.Key.Crypt with period characters between the segments yields this complete JWT using the JWT Compact Serialization (with line breaks for display purposes only):